Hi D.M.Gore
Yes, I noticed it too. This command makes the certificate available in
IKE. As per the syntax, this is valid only when the connection is initiated.
I think,
if the LAN-to-LAN IPsec should also respond (bi-directional connection), then we
should use the trustpoint in the tunnel group.
Let's wait for others' input.
asa(config)# crypto map mine 2 set ?
configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based on this entry
  inheritance           Specify inheritance(data or acl rule) to be used while initiating a connection based on this entry
  nat-t-disable         Disable nat-t negotiation for connections based on this entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  phase1-mode           Specify mode(main or aggressive) to be used while initiating a connection based on this entry
  reverse-route         Enable reverse route injection for connections based on this entry
  security-association  Security association duration
  transform-set         Specify list of transform sets in priority order
  trustpoint            Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry

asa(config)# tunnel-group mine ipsec-attributes
asa(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
  chain                 Enable sending certificate chain
  exit                  Exit from tunnel-group IPSec attribute configuration mode
  help                  Help for tunnel group configuration commands
  isakmp                Configure ISAKMP policy
  no                    Remove an attribute value pair
  peer-id-validate      Validate identity of the peer using the peer's certificate
  pre-shared-key        Associate a pre-shared key with the connection policy
  trust-point           Select the trustpoint that identifies the cert to be sent to the IKE peer
On Mon, Sep 7, 2009 at 8:32 AM, Dnyaneshwar Gore <[email protected]> wrote:
> Hi All,
>
> In Lan to Lan IPsec type, Is tunnel group unidirectional only for incoming
> traffic?
>
> I am asking this question because in case of certificate based
> authentication, the following command is used to initiate the tunnel from the ASA side:
> "crypto map VPN 10 set trustpoint <remote peer ID>"
>
> Regards,
> D.M.Gore
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
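To make the point of the reply concrete, here is a minimal ASA configuration for a certificate-authenticated LAN-to-LAN tunnel that sets the trustpoint in both places: on the crypto map entry (used only when this ASA initiates) and under the tunnel-group ipsec-attributes (used when it responds). This is an added example, not configuration from the thread; the names MY-CA, TS, MAP and L2L-TRAFFIC, the peer 203.0.113.2 and the 10.x subnets are assumed placeholders, and CA authentication and identity-certificate enrollment are assumed already done.

```cisco
! Added example (not from the thread). Assumed names: MY-CA, TS, MAP,
! L2L-TRAFFIC; 203.0.113.2 is a documentation address standing in for the peer.

! Trustpoint holding this ASA's identity certificate (enrollment steps omitted)
crypto ca trustpoint MY-CA
 enrollment terminal

! IKEv1 phase 1 with RSA-signature (certificate) authentication
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Traffic to protect and the IPsec transform
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac

! Crypto map entry: "set trustpoint" is consulted only when THIS ASA initiates
crypto map MAP 10 match address L2L-TRAFFIC
crypto map MAP 10 set peer 203.0.113.2
crypto map MAP 10 set transform-set TS
crypto map MAP 10 set trustpoint MY-CA
crypto map MAP interface outside

! L2L tunnel group is named after the peer IP; "trust-point" here is what lets
! the ASA present its certificate when the PEER initiates the negotiation
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point MY-CA
 chain
 peer-id-validate req
```

With only the crypto map line, a tunnel brought up from the remote side fails phase 1 because the responding ASA has no certificate selected; with the tunnel-group line present, both directions succeed and peer-id-validate still enforces that the peer's certificate identity matches.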